By Jim Anderson
In part one, we discussed why so many information security programs today are languishing in a state of "flat or down" in budget terms, carrying a large number of unrealized plans and projects over several budget cycles. Although external forces, including economic downturn and market-specific slowdowns, do have their impact, these external forces alone often cannot explain why information security makes so little progress. This is frequently true even where senior infosec leadership is experienced, holds multiple certifications, and otherwise commands an excellent grasp of the many disciplines of information security.
What is often missing is alignment with the business. Good organizational alignment with the business has two major components. First, infosec leadership must understand the business in terms of how information is used, the various types of customers, and the products, transactions and costs associated with the business. Second, infosec must understand how information security participates in the value proposition for the customers of the company's products. Does security matter? How do you know security matters? Is it in your contracts? Do external laws and regulations require you to touch certain bases when it comes to information security? The answers to these questions are essential to understanding how security participates in the success of the company beyond merely avoiding "something bad happening."
There are two places to start when considering how to increase the alignment of information security with the business. The first is an inventory of existing security controls. Everything from authentication to access control to network protections to desktop and server configuration must appear in that inventory. The second is a thorough understanding of the company's product development processes. Especially important, as a key subset within product development, is the information component of the product. In businesses such as financial services, information is as much as 90% or more of the tangible content of any given product. In a consumer products company, the information content of the product is more subtle.
For example, you may make laundry detergent and toothpaste, but information about who buys laundry detergent and toothpaste, how much product has been ordered and sold in various parts of the world, how much product still resides on retailer shelves, and so on, all goes to the information content of the product. Any time information is an important part of the product, the security of that information, whether competitive confidentiality, information integrity or some other security value, becomes an important part of the value proposition. In a basic industry such as steel manufacture, key information components include the specification of the product, quality testing regimes and the like. And almost all businesses have, as a major information component of their products, the customer list and all types of information about orders, account balances, terms, history and plans.
Once you've developed an understanding of the product cycle, including a detailed understanding of the information content of the product, you are ready to think about how to establish and increase the alignment of your information security program with the business. A good place to start is by understanding the software development lifecycle within your company. Is security a required part of the software development lifecycle? Are you able to say, for any given project, what the detailed security requirements are? If not, find ways to partner with your counterparts in systems development to get security requirements thoroughly integrated at the specification and design stage. The result will be a detailed list of security requirements that can be traced back to the components developed as part of the project. You can then get fairly good insight into the security controls, the costs of those controls, and how they relate directly to specific products sold to end customers.
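The traceability the paragraph describes (controls inventory, requirements attached to components at design time, components rolled up into products) can be kept as a small data model and queried. The following is an added example, not code from the article or from any tool it mentions; the control, requirement, component and product names, the cost figures and the equal-split cost allocation rule are all constructed assumptions for illustration.

```python
"""Traceability of security controls -> requirements -> components -> products.
Added example, not from the original article; every identifier and cost below
is constructed sample data, not a real inventory."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    annual_cost: float      # yearly cost to operate the control


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    source: str             # contract, regulation or internal policy
    satisfied_by: tuple     # control_ids that implement it (empty = gap)


@dataclass(frozen=True)
class Component:
    name: str
    requirements: tuple     # req_ids attached at specification/design time


@dataclass(frozen=True)
class Product:
    name: str
    components: tuple
    annual_revenue: float


# Constructed sample inventory (assumed values).
CONTROLS = [
    Control("C-MFA", "Multi-factor authentication on customer portal", 40000.0),
    Control("C-TLS", "TLS on all external endpoints", 12000.0),
    Control("C-LOG", "Centralized audit logging", 30000.0),
    Control("C-DLP", "Endpoint data-loss-prevention agent", 25000.0),  # no requirement cites it
]
REQUIREMENTS = [
    Requirement("R-1", "Customer logins require MFA", "contract", ("C-MFA",)),
    Requirement("R-2", "Customer data encrypted in transit", "regulation", ("C-TLS",)),
    Requirement("R-3", "Access to account data is audited", "regulation", ("C-LOG",)),
    Requirement("R-4", "Order history retained for seven years", "contract", ()),  # gap
]
COMPONENTS = [
    Component("portal-auth", ("R-1",)),
    Component("api-gateway", ("R-2",)),
    Component("ledger", ("R-3", "R-4")),
    Component("catalog", ()),
]
PRODUCTS = [
    Product("Retail Banking", ("portal-auth", "api-gateway", "ledger"), 5_000_000.0),
    Product("Merchant API", ("api-gateway", "ledger"), 2_000_000.0),
]
CONTROLS_BY_ID = {c.control_id: c for c in CONTROLS}
REQUIREMENTS_BY_ID = {r.req_id: r for r in REQUIREMENTS}
COMPONENTS_BY_NAME = {c.name: c for c in COMPONENTS}


def requirements_for_product(product, components_by_name):
    """All requirement ids reachable from the product's components."""
    return {rid for cname in product.components
            for rid in components_by_name[cname].requirements}


def controls_for_product(product, components_by_name, requirements_by_id):
    """All control ids that implement the product's requirements."""
    return {cid for rid in requirements_for_product(product, components_by_name)
            for cid in requirements_by_id[rid].satisfied_by}


def unsatisfied_requirements(requirements, controls_by_id):
    """Requirements with no known control behind them: a traceability gap."""
    return sorted(r.req_id for r in requirements
                  if not any(cid in controls_by_id for cid in r.satisfied_by))


def orphan_controls(controls, requirements):
    """Controls no requirement cites: cost with no traceable product value."""
    cited = {cid for r in requirements for cid in r.satisfied_by}
    return sorted(c.control_id for c in controls if c.control_id not in cited)


def allocate_costs(products, components_by_name, requirements_by_id, controls_by_id):
    """Split each control's annual cost evenly across the products relying on it."""
    users = defaultdict(list)
    for p in products:
        for cid in controls_for_product(p, components_by_name, requirements_by_id):
            users[cid].append(p.name)
    cost = {p.name: 0.0 for p in products}
    for cid, names in users.items():
        share = controls_by_id[cid].annual_cost / len(names)
        for name in names:
            cost[name] += share
    return cost


def trace_product(product, components_by_name, requirements_by_id):
    """control_id -> sorted (req_id, source) pairs: why the product pays for that control."""
    trace = defaultdict(set)
    for rid in requirements_for_product(product, components_by_name):
        req = requirements_by_id[rid]
        for cid in req.satisfied_by:
            trace[cid].add((rid, req.source))
    return {cid: sorted(pairs) for cid, pairs in trace.items()}


if __name__ == "__main__":
    costs = allocate_costs(PRODUCTS, COMPONENTS_BY_NAME, REQUIREMENTS_BY_ID, CONTROLS_BY_ID)
    for p in PRODUCTS:
        print(f"{p.name}: security cost {costs[p.name]:.0f} "
              f"({100 * costs[p.name] / p.annual_revenue:.2f}% of revenue)")
        for cid, why in trace_product(p, COMPONENTS_BY_NAME, REQUIREMENTS_BY_ID).items():
            print(f"  {cid} <- {why}")
    print("requirements without a control:", unsatisfied_requirements(REQUIREMENTS, CONTROLS_BY_ID))
    print("controls without a requirement:", orphan_controls(CONTROLS, REQUIREMENTS))
```

The two gap reports are the ones worth reviewing each budget cycle: a requirement with no control behind it is a contractual or regulatory promise the program cannot demonstrate, and a control that no requirement cites is spend the business cannot trace to a product. The equal-split allocation is an assumption chosen for simplicity; a real program would weight shares by usage or revenue.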
Do your customers ask about information security? Is security a part of the contracts between your company and its customers? The answers to these questions provide your next major step in achieving alignment with the business.
In my consulting practice I often find that the process of fielding and answering customers' questions about security is handled very informally. Some sales reps feel very comfortable answering in detail; others ask for assistance from headquarters or from specific subject matter experts within the infosec department. One of the key elements in achieving alignment between information security and the business is establishing personal relationships with the sales organization and with individual customers. In regulated industries, customers often ask to speak with the information security leadership, providing ready-made opportunities to establish those relationships. Be in a position to summarize the impact information security has had on the business in terms of which key customers, and how much revenue, are directly related to information security. Don't get trapped into thinking that security alone was or was not responsible for any given sale. Most products are a mix of product values that include information-related elements, other brand equity elements, and other intangible factors. However, when information security spends time with customers as part of the product sales cycle or renewal process, information security owns a share of the win or the loss of that business. A well-aligned information security function will be able to state precisely those wins and losses, which communicates to the sales organization that information security is involved in and focused on the primary functions of the organization. Another key element of security as a product value is specifically identifying the security components within the product. Then it is possible to say which components are being added or enhanced with the new release or the new product. If security is a major cost factor, then controlling costs by innovating and improving the cost effectiveness of operating security controls becomes a key part of product value.
Of course, underlying all of this discussion is the key assumption that information security leaders understand the business and can participate with the leaders of the other business functions as different strategies and implementations are considered. Many information security leaders have come up through the technical route and may not feel comfortable interacting with sales or production professionals on these subjects. My advice is: get the knowledge. Become an expert in the production, marketing and delivery of your company's products, and apply that expertise in a way that enhances and focuses the value you bring through information security as part of the overall product value proposition. In this way you will have maximized the alignment of information security and will be in the best position to provide the correct amount of information security regardless of overall business or funding conditions.
This article was published by Infosec Island.